Tag Archives: Insufficiently Secure Premises


Breach details

What

Highly sensitive and confidential information, including copies of police interview tapes, was left in the basement of a former police station, which had been sold in September 2012. This was discovered after a police officer visited some business premises on an entirely separate matter and noticed a box of videotapes bearing the logo and name of Kent Police. The owner confirmed that he had found the videotapes and was intending to view their contents as a possible source of entertainment.

How much

Numerous records dating as far back as the late 1980s.

When

28 November 2012.

Why

In the absence of any specific policies or procedures, it was unclear who was ultimately responsible for ensuring that the former police station was vacant at the point of sale. This lack of documented procedures was made worse by failures in communication between the different departments involved in the extended process of decommissioning the building.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £100,000

When

19 March 2014.

Why the regulator acted

Breach of act

Breach of the Seventh Data Protection Principle: Kent Police failed to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as having specific procedures in place to ensure that the basement of the former police station had been cleared of all items before it was sold to a buyer.

Known or should have known

The data controller was used to dealing with such information and had taken some steps to safeguard the information by carrying out inspections of the former police station, even though the steps taken proved to be inadequate.

Likely to cause damage or distress

The failure to take appropriate organisational measures was likely to cause substantial distress to the data subjects even if this is simply by knowing that their confidential and sensitive personal data could have been accessed by the buyer who had no right to see that information. Furthermore there was a risk that the data may be further disseminated, such as to the media, or used for other purposes by the buyer, with the potential to cause substantial damage to witnesses and informants, such as by putting them at risk of physical harm.

Breach details

An unencrypted, unsecured laptop containing the details of 970 individuals who had attended hospitality events organised by Panasonic UK was stolen from an unlocked hotel room. These events were being run by a third party company on behalf of Panasonic, and Panasonic’s comprehensive data protection policies that would have prevented this breach were therefore not automatically applied. However, it appears that these policies were not communicated to the company and the data protection provisions listed in the contract were extremely limited. Moreover, passport information was collected from all guests and then retained regardless of whether this information was necessary.

Regulatory action

Regulator

ICO

Action

Undertaking to comply with the seventh data protection principle.

When

Unknown.

Details

Panasonic UK is to ensure that all third party company data controllers are governed by adequate contracts and checks to ensure that they are complying with data protection policies. Panasonic are also to ensure that personal data is only collected for a specified, valid purpose and is not retained for longer than is necessary. Other security measures should be implemented as appropriate.

Breach details

An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for.

BW Comments

A Monetary Penalty Notice was issued to Glasgow in respect of this breach but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well.

Regulatory action

Regulator

ICO

Action

Enforcement Notice

When

04 June 2013

Details

Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis.

Breach details

Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £100,000

When

30 May 2013

Why the regulator acted

Breach of act

Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.

Known or should have known

The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site, but did not take ‘reasonable steps’ to safeguard the data, such as having a decommissioning policy.

Likely to cause damage or distress

There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.

Why

Confidential social services files were found in an abandoned Enfield town hall currently in use as a film set. The files were labelled “Foster panel minutes” and “Adoption files”, and marked “strictly private and confidential”. They included details of parents turned down for adoption, the phone numbers and addresses of vulnerable people on the service’s register, and financial information.

Breach details

What

Loss of sensitive personal data.

How much

About 10,000 records.

When

May 2010

Why

Confidential and sensitive personal data consisting of patient and staff records, dating as far back as the 1950s, were stored in a disused site. The site had security guards, but the CCTV and intruder alarms had fallen into disuse and overall security was weak. Intruders gained access to the site and posted photographs of the physical records there on the internet. Despite security upgrades following this incident, intruders were able to gain access to the site on a second occasion. The security breaches were not reported to the ICO.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £225,000

When

19 June 2012

Why the regulator acted

Breach of act

Site was insufficiently secure to prevent intrusion.
Inappropriate organisational and technical measures.

Known or should have known

The insufficient amount of security was “clear”, and security upgrades after the first intrusion were clearly insufficient.

Breach details

What

Loss of sensitive personal information.

How much

79,000 records.

When

March 2008

Why

Initially, four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust’s assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, who was sub-contracted by a sub-contractor to the Trust’s IT supplier to destroy the 1,000 hard drives, managed to remove at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on the premises. Despite the security precautions taken, insufficient records were kept to provide a reliable audit trail of which hard drives were and were not destroyed.

Regulatory action

Regulator

ICO

Action

Monetary penalty of £325,000

When

1 June 2012

Why the regulator acted

Breach of act

Failure to select a data processor able to provide guarantees of technical security – loss of hard drives.
Inappropriate organisational and technical measures.

Known or should have known

Data controller was used to dealing with such information on a daily basis and the huge volume of personal data on the hard drives was an obvious risk.

What

Loss of sensitive personal data.

How much

Approximately 2,000 records.

Why

Theft of a patient medication record system.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate procedures are put in place to ensure that PMR pharmacy data is securely handled prior to any future transfer of pharmacy ownership. All staff must be made aware of the data controller’s procedures for the safe storage and retrieval of personal data.

Reason for action

The PMR system was stolen from the pharmacy while it was undergoing a transfer of ownership. Although the PMR was password protected, the data controller had not taken adequate steps to safely retrieve the PMR system and return it to the wholesale company, to whom they had been paying a monthly retainer, prior to the transfer of ownership process.

Breach details

What

Loss of sensitive personal information.

How much

15 records.

When

23 April 2011

Why

Paper records relating to vulnerable children were stolen from a social worker’s home. Although it was accepted that the paper records needed to be taken home and that there was a policy in place to cover it, it was felt that the policy did not address the risk identified by this security breach.

What

Loss of personal and sensitive personal data.

How much

40 records.

Why

Theft of an unencrypted laptop from a locked ground floor office in the Newcastle area.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile devices including laptops are encrypted to a sufficient standard. Physical security standards must be adequate to prevent unauthorised access to personal data.

Reason for action

The stolen laptop was password protected but had not been encrypted. However, the data controller proposed to improve physical security and implement encryption as a result of the incident.